As a result of the increasing popularity and acceptance of the computer and the Internet and other forms of networked communications, electronic transactions and documents are increasing in number and significance. For example, the volume of consumer purchases, business-to-business commerce, and stock trading and other forms of investing that occur over the Internet and/or wireless networks is steadily increasing, as are other forms of online commerce. In addition, the number of documents which are generated or available electronically and the number of documents which exist only in electronic form (e.g., the paperless office) are also steadily increasing.
The increasing number of electronic transactions and documents leads to a corresponding need for reliable methods for making records of these transactions and documents. For example, when a consumer purchases an item over the Internet using his credit card, it is desirable to make a reliable, non-disputable record of the purchase. If two corporations electronically “sign” a contract, it is desirable to record both the act of signing and the contents of the contract. In the paperless office, it is desirable to “digitally notarize” certain documents, thus ensuring that their existence at a specific time can be proved at a later date.
One approach to the records problem makes use of cryptography. The characteristics of public key cryptography in particular may be used in various ways to make strong records of transactions. For example, in the consumer Internet example, a consumer with a digital certificate might create a digital signature of his order including the credit card number, thus creating a record of the purchase. In the contract example, the two corporations might similarly create a two-party digital signature of the contract, each corporation using its digital certificate. In the digital notary example, a third party (i.e., the notary) might witness the document by affixing a time stamp and a digital signature to the document.
Secure (e.g., encrypted) email and document signing and verification via public key cryptography rely on the use of private and public key pairs. Public keys can include identity keys, digital or identity certificates, and the like. When networked devices want to interact with entities over the Internet via secure email, the networked devices' local key stores must contain the entities' public keys for the networked devices to verify the entities' cryptographic signature or enable encrypted data exchanges with the entities. However, networked devices and their users often encounter difficulties when interacting or exchanging signed and encrypted documents with other entities over the Internet via secure email. For instance, no general adopted means currently exists for the users to discover and obtain public keys required for such secure interactions or data exchanges. Instead, provisioning of sender public keys into a recipient's local key store is currently a manual process not familiar to most users. Even for users that are familiar, the manual process is error prone and usually involves exchanging public keys with the sender over an insecure communication channel via an out-of-band method, thus subjecting “secure” interactions and exchanges to compromise. Moreover, users trust certificates that are signed by any one of many certificate authorities, but certificate authorities are not foolproof and indeed have mistakenly signed unauthorized certificates.
Thus, there is a need for simple and intuitive approaches for users to discover and obtain public keys required for conducting public key cryptography-based secure interactions or data exchanges.